MEMORANDUM

TO            :      Frank S. Holleman, III
                     Deputy Secretary
                     Office of the Deputy Secretary

                     Scott S. Fleming
                     Assistant Secretary
                     Office of Legislation and Congressional Affairs

FROM          :      John P. Higgins, Jr.
                     Acting Assistant Inspector General
                     Analysis and Inspection Services

SUBJECT       :      Results of the OIG Review of OS/ODS/OLCA's Internal Controls
                     Over the Procurement of Goods and Services (A&I 2000-010)


INTRODUCTION

This memorandum transmits the results of our review of OS/ODS/OLCA's internal
controls over the procurement of goods and services. We reviewed these three offices
together because the offices share an Executive Office and Executive Officer. This
review is part of OIG's Department-wide review of this area. The Department’s
management is responsible for establishing and maintaining internal controls. We will
transmit the Department-wide results to you and the other Assistant Secretaries and
senior staff when we complete our review. On August 11, 2000, OIG staff met with
Diane Rogers, Chief of Staff to the Deputy Secretary, Steve Moore, Senior Management
Advisor, and JoAnn Ryan, Executive Officer, to discuss the results of this review.

RESULTS

During our review, we identified instances of noncompliance with the Federal
Acquisition Regulation (FAR), Prompt Payment Act and current Department policies and
procedures:

✓ The FAR requires the solicitation of quotes or offers from a reasonable number of
  sources or sole-source justification for any purchase of more than $2,500. When
  using GSA schedules, the purchaser must review at least three schedules and then
  select the best value. Purchases cannot be split to fall below the $2,500 threshold to
  avoid these procedures.
  We identified seven transactions by purchase card that
  appear to have been split to fall below the threshold or below a cardholder’s single
  purchase limit. We also noted that there was no documentation of oral bids or
  sole-source justification for a $2,755 purchase of furniture.

✓ We identified five invoices that appear not to have been paid (one by purchase card
  and four by TPDS checks) in accordance with the Prompt Payment Act.

✓ We were informed that purchase cards were shared among employees with
  management’s knowledge. During our review, we identified seven transactions
  where the receipt or invoice was either issued to or signed by someone other than the
  cardholder. The Department’s Directive on Commercial Credit Card Service states:
  “Each card has the cardholder’s name embossed on it and may be used only by that
  person. No one else is authorized to use the card.”

We identified certain deficiencies, in addition to the instances of noncompliance
identified above, that prevent OS/ODS/OLCA from satisfying GAO’s Standards for
Internal Control in the Federal Government. For your information and corrective action,
we have listed those deficiencies in the attached chart (Attachment A). In the future, we
anticipate conducting a follow-up review to assess the actions you have taken to satisfy
GAO’s Standards for Internal Control in the Federal Government.

In addition, we want to advise you and OS/ODS/OLCA managers of inherent
vulnerabilities we identified in two Department procurement systems.

✓ Purchase Cards – For efficiency reasons, the Department designed a purchase card
  system where cardholders can order, receive and approve payments for goods and
  services. Consequently, as a control, the Department established approving officials
  to review the use of purchase cards.
  Therefore, it is important that approving officials
  properly review all cardholder statements, including invoices, before forwarding them
  to OCFO for payment.

✓ Third Party Draft System (TPDS) – An individual with signature authority can issue
  TPDS checks without the involvement of anyone else. Therefore, it is important that,
  at a minimum, the supervisor of the individual with signature authority conduct
  periodic reviews of TPDS disbursements.

During our review, we noted that one staff member assigned a purchase card is below the
grade level (GS-9) required to receive annual ethics training. Because of the employee’s
procurement responsibilities, we believe that ethics training would be beneficial to this
staff member. Management should require all procurement staff to attend annual ethics
training.

OBJECTIVE

Our review objective was to assess the internal controls over compliance with laws and
regulations for the procurement of goods and services other than studies or evaluations.

SCOPE

We limited our work to procurements in Washington, D.C. (Headquarters). We limited
testing of accounting records to procurements using purchase cards and the Third Party
Draft System (TPDS). We did not conduct testing on OS/ODS/OLCA’s use of
“Corporate” Government Travel Accounts.

METHODOLOGY

To achieve our objectives, we conducted interviews with OS/ODS/OLCA staff involved
with the procurement process, and we reviewed relevant documents. As part of our
work, we reviewed samples of TPDS checks and purchase card transactions. For the
TPDS, we selected a random sample of 50 TPDS checks issued between October 1998
and September 1999 (FY 1999). We judgmentally selected a sample of monthly
purchase card statements dated between October 16, 1998 and May 16, 2000. Then we
selected 50 transactions to review.
We also reviewed OS/ODS/OLCA’s monthly
purchase card statements in OCFO’s Financial Management Policy and Administrative
Programs Group files for the months of September 1999 and March 2000.

We based our conclusions about OS/ODS/OLCA’s internal controls on the information
gathered during our interviews and transaction testing. We conducted our interviews and
transaction testing between May 8, 2000 and July 11, 2000. We assessed
OS/ODS/OLCA's internal controls based on GAO's Standards for Internal Control in the
Federal Government issued November 1999. Attachment B to this memorandum
contains a summary of the GAO Standards. We conducted our work in accordance with
the President's Council on Integrity and Efficiency (PCIE) Quality Standards for
Inspection dated March 1993.

We appreciate the cooperation shown by your staff during our review. If you have any
questions regarding the results of this review, please contact me at 205-5439.


Attachments


Attachment B

GAO’s Standards for Internal Control in the Federal Government
Components of Internal Control

•   Control Environment – Management and employees should establish and maintain
    an environment throughout the organization that sets a positive and supportive
    attitude toward internal controls and conscientious management.

    Factors:

    ✓ Management and staff maintain and demonstrate integrity and ethical values.

    ✓ Management maintains an active commitment to competence.

    ✓ Management’s philosophy and operating style exert a positive influence on the
      organization (especially toward information systems, accounting, personnel
      functions, monitoring and audits).

    ✓ Organizational structure is appropriately centralized or decentralized, and
      facilitates the flow of information across all activities.

    ✓ Agency delegates authority and responsibility and establishes related policies
      throughout the organization in a manner that provides for accountability and
      control.

    ✓ Agency establishes human resource policies and practices that enable it to recruit
      and retain competent people to achieve its goals.

•   Risk Assessment – Internal controls should provide for an assessment of the risks the
    agency faces from both external and internal sources.

       Precondition: establishment of clear and consistent agency objectives.

       Risk assessment: the comprehensive identification and analysis of relevant risks
       associated with achieving agency objectives, like those defined in strategic and
       GPRA annual performance plans, and forming a basis for determining how the
       agency should manage risks.

       Risk identification: methods may include qualitative and quantitative ranking
       activities, management conferences, forecasting and strategic planning, and
       consideration of findings from audits and other assessments.

       Risk analysis: generally includes estimating the risk’s significance, assessing the
       likelihood of its occurrence, and deciding how the agency should manage its risk.

•   Control Activities – Internal control activities help ensure that employees carry out
    management directives. The control activities should effectively and efficiently
    accomplish agency control objectives.

    ✓ The control activities are the policies, procedures, techniques, and mechanisms
      that enforce management’s directives.
      They help ensure that employees take
      actions to address risks.

    ✓ Control activities occur at all levels and functions of the entity, and include a wide
      range of diverse activities such as approvals, authorizations, verifications,
      reconciliations, performance reviews, maintenance of security, and creation and
      maintenance of related records that document the execution of these activities.

•   Information and Communications – Employees should record and communicate
    information to management and others within the entity who need it in a form and
    within a time frame that enables them to carry out their internal control (and other)
    responsibilities effectively and efficiently.

    ✓ An organization must have relevant, reliable, and timely communications relating
      to internal as well as external events. Information is needed throughout the
      agency to achieve all its operational and financial objectives.

    ✓ Effective communications should occur in a broad sense with information flowing
      down, across, and up the organization.

    ✓ Management should ensure there are adequate means of communicating with, and
      obtaining information from, external stakeholders that may have a significant
      impact on the agency achieving its goals.

•   Monitoring – Internal control monitoring should assess the quality of performance
    over time and ensure that audit and other review findings are promptly resolved.

    ✓ Includes regular management and supervisory activities, comparisons,
      reconciliations, and other actions employees take in performing their duties.

    ✓ Should include policies and procedures for ensuring that audit and other review
      findings are promptly resolved.


Attachment A

Internal Control
Evaluation Form for the Office of the Secretary, Office of the Deputy Secretary and the
Office of Legislation and Congressional Affairs

Control Component     Deficiencies

Control Environment   • Noncompliance – As mentioned in the cover memorandum and described below, we identified instances
                        of noncompliance with the FAR, Prompt Payment Act and current Department policies.

Risk Assessment       • Identification of Risks – The Executive Office has no formal procedures for risk assessment in the
                        procurement area.
                      • Identification of Risks – One procurement staff member has been assigned a moderate risk level when
                        the employee’s responsibilities suggest that a high risk level is more appropriate. Another procurement
                        staff member has been assigned a low risk level when the employee’s responsibilities suggest that a
                        moderate risk level is more appropriate.

Control Activities    • Policies and Procedures – Although required by the Department’s Directive on Commercial Credit Card
                        Service (C:FIM:6-102) dated March 12, 1990, the Executive Office has no written policies and
                        procedures on the purchase card process.
                      • Purchase Cards – We reviewed the September 1999 and the March 2000 statements from OCFO files.
                        Our purpose was to verify that the Executive Office had submitted all its monthly card statements with
                        activity to OCFO and that the approving official had signed the card statements.
                        We also judgmentally
                        selected and reviewed 50 purchase card transactions.
                        ♦ Approval – We noticed that most transactions did not have evidence of preapproval.
                        ♦ Review of Monthly Statements:
                            • For September 1999, there were six cards with activity. One statement was missing from
                              OCFO’s files and the other five were not signed by the approving official.
                            • For March 2000, there were six cards with activity. All statements were signed by the approving
                              official.
                        ♦ Documentation – Invoices were missing for two charges of $249.90 and $9,683.91.
                        ♦ Documentation – Our sample included three charges from a commercial printer.
                            • A charge for $1,090 was supported by a receipt and the copy of an e-mail message indicating
                              Executive Officer approval of the transaction. There was no documentation explaining the use of
                              a commercial printer.
                            • A charge for $20.33 was supported by a credit card receipt. There was no documentation of
                              approval or explanation for the use of a commercial printer.
                            • There was no receipt for the third charge of $69.89.
                              There also was no documentation of
                              approval or explanation for the use of a commercial printer.
                        ♦ Card Sharing – As mentioned in the cover memorandum, we were informed that purchase cards were
                          routinely shared among office staff with management’s knowledge. During our review, we identified
                          seven transactions where the receipt or invoice was either issued to or signed by someone other than
                          the cardholder.
                        ♦ Compliance/Split Procurements – As mentioned in the cover memorandum, we noted seven
                          transactions that appear to have been split to either fall below the $2,500 micro-purchase threshold or
                          the cardholder’s single purchase limit. For example:
                            • Three sequentially numbered invoices ($755, $2,054 and $1,995) for related products from the
                              same vendor were charged on the same day and assigned sequential EDCAPS transaction
                              numbers. There was no documentation of oral bids or justification for a sole-source purchase.
                            • One invoice for $10,894 was charged to a cardholder with a single purchase limit of $10,000 in
                              two amounts of $5,000 and $5,894 on the same day. There was no documentation of oral bids or
                              justification for a sole-source purchase.
                        ♦ Compliance/Prompt Payment – As mentioned in the cover memorandum, one invoice appears to not
                          have been paid in accordance with the Prompt Payment Act.
                          On February 25, 2000, a purchase card
                          was used to pay a $6,000 invoice that was due October 1, 1999. No interest was paid at that time.
                        ♦ Recording in EDCAPS – We were unable to trace 10 charges to the purchase card expenditures on an
                          EDCAPS report using the EDCAPS transaction numbers listed on the monthly statement.
                        ♦ Payment of Tax – Six invoices were paid that included a charge for tax.
                      • TPDS Checks – We randomly selected 50 TPDS checks to review. During our review, no
                        documentation was provided for two checks. On July 26, 2000, subsequent to our review, the
                        documentation for those two checks was provided.
                        ♦ Approval – Of the 48 checks we were able to review, five Form 1164s (employee reimbursement)
                          were not signed by the approving official. Supporting documents for four other transactions did not
                          include evidence of approval.
                        ♦ Documentation – Of the 48 checks we were able to review, we noted documentation problems with
                          eight checks.
                          For example:
                            • Payment of $1,288 to an ED employee supported by a January rent receipt for $730 and a
                              handwritten note, but no claim signature by the employee.
                            • Payment of $69 to an ED employee supported by a Form 1164 that totaled only $43.
                            • Payment of $1,144 for housing and per diem to an individual on an Intergovernment Personnel
                              Assignment supported by an August rent receipt of $825, an e-mail regarding travel in August,
                              handwritten calculations and pages from an Intergovernment Personnel Assignment Agreement.
                              The numbers in the handwritten calculations were not labeled. There was no claim signature by
                              the individual receiving the payment.
                            • A payment to Federal Express for $144.18 supported by an invoice for $257.99. The same
                              invoice number was also referenced to an additional check for $144.18 issued the day before.
                        ♦ Date Stamping – None of the invoices were date stamped upon receipt.
                        ♦ Compliance/Prompt Payment – As mentioned in the cover memorandum, four invoices appear to not
                          have been paid in accordance with the Prompt Payment Act.
                        ♦ Compliance/Bids – Only one of the checks was subject to multiple bids. As mentioned in the cover
                          memorandum, there was no documentation of multiple bids or sole-source justification for the
                          purchase of furniture for $2,755.
                          In addition, there was no invoice.

Information &         • Communication of Key Information – Only one member of the procurement staff we interviewed was
Communications          familiar with the Department’s Directive on Commercial Credit Card Service.

Monitoring            • On-going Monitoring – The supervisor of the individual with signature authority for TPDS checks does
                        not perform periodic reviews of the EDCAPS reports on the checks issued by the Executive Office.